Conventional malware detection technology collects samples of the malware available to date, extracts from the collected samples a certain character string that serves as the signature of the malware, and determines whether a particular computer is infected with malware depending on whether the extracted character string exists in files of a diagnostic target computer system, and the like.
Therefore, when new malware is discovered, an apparatus for repairing malware must be developed to identify the nature of the new malware, extract a predetermined character string that is the signature of the new malware, and detect the malware. The existing apparatus for repairing malware may not detect the new malware before information about it is added, and thus damage from the new malware may not be prevented. Also, the number of character strings that serve as signatures of malware increases in proportion to the increase in the types of malware. Therefore, it takes more time to check for the existence of the character strings that are the signatures of malware.
For example, in the case of a mobile device that is supplied with power using a battery and the like, such as a mobile phone, a personal digital assistant (PDA), and the like, the mobile device consumes power to extract a character string from a particular computer program and verify whether the extracted character string is the same as a character string corresponding to the signature of conventional malware. Due to this power consumption, the time available to run the mobile device is inevitably reduced.
Also, according to the conventional art, if a hacker's attacks reveal a vulnerability of a computer, a program manufacturer may guard against the hacker's attacks using a patch program that corrects the vulnerability. However, there are no distinct solutions for other attacks on the underlying vulnerabilities.
Most malware is not a new program that differs from existing malware; rather, most malware corresponds to a variant of existing malware and behaves in a similar manner to the existing malware. However, in order to detect the variants of the malware, a new character string that is extracted from each variant must be used instead of the character string that was extracted from the existing malware. Therefore, a plurality of character strings must be provided to detect a plurality of variants respectively.
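The limitation described above, shown as an added example that is not part of the original text: a minimal signature-string scanner in Python, in which a variant differing by one byte is missed until its own character string is added, and each added string increases the scanning work. The `scan` function, the family names and all byte strings are constructed, benign placeholders.

```python
from __future__ import annotations

# Constructed, benign placeholder data: no real malware bytes or names.
DB_V1 = {"family-A": b"decode(key=0x11)"}
# The variant needs its own entry, so the signature set grows.
DB_V2 = {**DB_V1, "family-A.v2": b"decode(key=0x12)"}

PAD = b"\x00" * 8
ORIGINAL = b"HDR" + PAD + b"decode(key=0x11)" + PAD
VARIANT = b"HDR" + PAD + b"decode(key=0x12)" + PAD   # one byte differs
CLEAN = b"\x00" * 64


def scan(sample: bytes, signatures: dict[str, bytes]) -> tuple[list[str], int]:
    """Return (matching signature names, number of window comparisons)."""
    hits: list[str] = []
    comparisons = 0
    for name, sig in signatures.items():
        # Slide each signature across the sample; stop at its first match.
        for off in range(len(sample) - len(sig) + 1):
            comparisons += 1
            if sample[off:off + len(sig)] == sig:
                hits.append(name)
                break
    return hits, comparisons


if __name__ == "__main__":
    print("original vs v1 DB:", scan(ORIGINAL, DB_V1)[0])
    print("variant  vs v1 DB:", scan(VARIANT, DB_V1)[0])
    print("variant  vs v2 DB:", scan(VARIANT, DB_V2)[0])
    print("clean-file cost v1/v2:", scan(CLEAN, DB_V1)[1], scan(CLEAN, DB_V2)[1])
```

The comparison count on the clean file doubles when the second signature is added, which is the time and power cost the text attributes to a growing signature set.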